CVE-2022-25813

Summary

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache OFBizApache OFBiz <= 18.12.05affected

Weaknesses

  • CWE-1336: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

ADP Enrichment

CVE Program Container

Additional References

References